1 Introduction


Causally-ordered delivery can be understood as a generalization of FIFO ordering [vR93]. In both, a message is delivered only after all messages on which it may depend. With FIFO ordering, this guarantee applies only to messages having the same sender; with causal ordering, this guarantee applies to messages sent by any process. Additional motivation for and examples of the use of causally-ordered delivery can be found in [Bir93, vR93].

This paper gives a proof system for causally-ordered delivery. Our proof system is similar in style to the satisfaction-based logics for synchronous message-passing in [LG81], for ordinary asynchronous message-passing in [SS84], and for flush channels in [CKA93]. We assume familiarity with the terminology of that literature.

Reasoning about message-passing primitives for causally-ordered delivery involves a global property: the system-wide causality relation, which defines what messages are deliverable. This distinguishes causally-ordered delivery from the types of message passing for which axiomatic semantics have already been given (e.g., [LG81, SS84, CKA93]). And, our work demonstrates that substantially new methods are not required when message-delivery semantics depends on global information.

A program proof in a satisfaction-based logic involves discharging three obligations:

(1) a proof outline characterizes execution of each process in isolation,

(2) a "satisfaction proof" validates postconditions of receive statements, and

(3) an interference-freedom proof establishes that execution of no process invalidates an assertion in another.

Our proof system for causally-ordered message-passing is similar, except step (2) is merged with step (1). (Such a merging is also possible for other satisfaction-based proof systems that handle asynchronous communication primitives, like the logics of [SS84] and [CKA93].)

The remainder of the paper is organized as follows. Section 2 defines causally-ordered message-passing. Our proof system is the subject of Section 3. In Section 4, we use the proof system to verify an asynchronous variant of the distributed termination detection algorithm of Dijkstra, Feijen, and van Gasteren [DFvG83]. Section 5 contains some conclusions.
2 A Model of Causally-ordered Message-passing

We give an operational semantics for causally-ordered message-passing primitives by translating programs containing these primitives into a generic concurrent programming language that has shared variables. The shared variables represent the state of the network.

Processes communicate by sending and receiving messages. To encode the restrictions implicit in causally-ordered delivery, each message sent is modeled in our translation by a triple $\langle d, i, t \rangle$ where^1

d is the data being sent by the program,

i is the name of the process^2 that sent the message, and

t is a timestamp that contains information used to determine whether the message is ready for delivery.

The following functions are useful in connection with messages represented by triples.

$data(\langle d, i, t \rangle) \triangleq d$
$sender(\langle d, i, t \rangle) \triangleq i$
$ts(\langle d, i, t \rangle) \triangleq t$


Two shared variables $\sigma_i$ and $\rho_i$ are associated with each process i. Variable $\sigma_i$ contains the (triples modeling) messages sent to process i; $\rho_i$ contains the (triples modeling) messages process i has received.

There is an obvious and seemingly simpler alternative to using variables $\sigma_i$ and $\rho_i$. It is to use a single variable $\chi_i$ (say), where the value of $\chi_i$ is the set of messages sent to process i but not yet received (i.e., $\chi_i$ equals $\sigma_i - \rho_i$). The model we use has two advantages over this one-variable model. First, in our model, proving interference freedom (defined in Section 3) is easier. This is because no process can falsify $m \in \sigma_i$ or $m \in \rho_i$; predicate $m \in \chi_i$ would be invalidated by the receiver. Second, proofs of some programs (such as the example in Section 4) involve reasoning about communications history. That history is available in $\sigma_i$ and $\rho_i$ but is not available in $\chi_i$.
^1 An actual implementation of causally-ordered delivery might not require a sender name i or timestamp t. That information is used here to abstract from the details of all real implementations.

^2 Processes are named 0, 1, ..., N−1, and hereafter identifiers i, j, k, and p range over process names.

Causally-ordered delivery restricts when a message can be received. This is achieved in our translation by defining a well-founded partial order $\prec$ on timestamps. Our definition of $\prec$ is based on the theory of [Lam78]. A system execution is represented as a tuple of sequences of events; each sequence corresponds to the execution of a single process. An event is a send event, a receive event, or an internal (i.e., non-communication) event. The happens-before (or "potential causality") relation $\rightarrow$ for a system execution is the smallest transitive binary relation on the events in that execution such that:

• If e and e' are performed by the same process and e occurs before e', then $e \rightarrow e'$.

• If e is the send event for a message m and e' is the receive event for that message, then $e \rightarrow e'$.

Causally-ordered delivery is formalized in terms of $\rightarrow$ as follows [BSS91]. Let $send(m)$ and $receive(m)$ respectively denote the send event and receive event for a message m.

Causally-ordered Delivery: If m and m' are sent to the same process and $send(m) \rightarrow send(m')$, then $receive(m) \rightarrow receive(m')$.^3

To implement Causally-ordered Delivery using timestamped messages, the timestamps and $\prec$ are chosen to satisfy

$ts(m) \prec ts(m')$ iff $send(m) \rightarrow send(m')$.   (1)

Causally-ordered Delivery is then equivalent to requiring that a message m' is received by a process p only after p has received all messages m sent to p for which $ts(m) \prec ts(m')$ holds.

One way to achieve (1) is to use vector clocks [Fid88, Mat89]. Here, a vector $vt_i$ of type array[0..N−1] of Nat is associated with process i, where $vt_i$ satisfies:

Vector Clock Property: $vt_i[j]$ is the number of send events that are performed by process j and causally precede the next event to be performed by process i.

Partial order $\prec$ is defined in terms of vector clocks, as follows.

$vt_1 \neq vt_2 \triangleq (\exists i : vt_1[i] \neq vt_2[i])$

$vt_1 \prec vt_2 \triangleq (\forall i : vt_1[i] \le vt_2[i]) \wedge vt_1 \neq vt_2$

^3 FIFO delivery can also be formalized in terms of $\rightarrow$. FIFO delivery ensures that if m and m' are sent by the same process, to the same process, and $send(m) \rightarrow send(m')$, then $receive(m) \rightarrow receive(m')$. The close analogy between FIFO delivery and causally-ordered delivery should now be evident.
Three rules define how the $vt_i$ are updated in order to maintain the Vector Clock Property. Since only send events and receive events are of interest, vector clocks are updated only when send and receive statements are executed. Let $inc(vt, i)$ denote vector vt with the $i^{th}$ component incremented by one. The rules are:

Initialization Rule: Initially, $vt_i[j] = 0$ for all i and j.

Send Update Rule: When process i sends a message m, it updates $vt_i$ by executing

$vt_i := inc(vt_i, i)$

and includes updated vector $vt_i$ as the timestamp attached to m.

Receive Update Rule: When a process i receives a message m, it updates $vt_i$ by executing

$vt_i := max(vt_i, ts(m))$,

where $max(vt, vt')$ is the component-wise maximum of the vectors vt and vt'.

We now give our translation of send and receive statements into statements that read and write shared variables $\sigma_i$ and $\rho_i$. The following notation is used to describe the multiple-assignment [Gri76] of $e_1$ to $x_1$, $e_2$ to $x_2$, ..., and $e_n$ to $x_n$:

$(x_1, x_2, \ldots, x_n) := (e_1, e_2, \ldots, e_n)$

A send statement send e to i in process j is translated into:

$(vt_j, \sigma_i) := (inc(vt_j, j),\ \sigma_i \oplus \langle e, j, inc(vt_j, j) \rangle)$   (2)

where $s \oplus x = s \cup \{x\}$.

The translation of a receive statement requires a conditional delay. Statement await B then S delays until B holds and then executes S as a single indivisible operation starting from a state that satisfies B. A receive statement receive x in process i delays until a message is available for receipt and then updates x, $\rho_i$, and $vt_i$. In particular, to ensure causally-ordered delivery, receive x delays until there exists some message m that has been sent to i but not received and such that all messages m' that have been or will be sent to i for which $ts(m') \prec ts(m)$ have been received.

For a set A of triples modeling messages, $choose(A)$ and $minset(A)$ are assumed to satisfy

$choose(A) \in A$ provided $A \neq \emptyset$   (3)

$minset(A) = \{m \in A \mid (\forall m' \in A : \neg(ts(m') \prec ts(m)))\}$   (4)

A receive statement receive x in process i is translated as follows, where $m_i$ is a fresh variable.

await $\sigma_i - \rho_i \neq \emptyset$ then $m_i := choose(minset(\sigma_i - \rho_i))$
                                        $x := data(m_i)$
                                        $vt_i := max(vt_i, ts(m_i))$                  (5)
                                        $\rho_i := \rho_i \oplus m_i$

To show that code fragments (2) and (5) correctly implement Causally-ordered Delivery, consider some message m that is received by a process i. We must show that no message m' subsequently received by process i satisfies $send(m') \rightarrow send(m)$. Suppose such a message m' exists. By (1), $ts(m') \prec ts(m)$. Message m' could not be in $\sigma_i$ when m is received, since m is selected from among the elements of $\sigma_i$ with minimal timestamps. Thus, m' must be added to $\sigma_i$ after m is received. We show that this is impossible by proving: For all messages m and m', if m' is added to $\sigma_i$ after m has been added, then $\neg(ts(m') \prec ts(m))$.

First, observe that the following holds throughout execution of a program.

$(\forall j, k : vt_j[k] \le vt_k[k] \wedge (\forall m \in \sigma_j : ts(m)[k] \le vt_k[k]))$   (6)

Initially, this holds because for all j and k, $vt_j[k] = 0$ and $\sigma_j = \emptyset$. Only send and receive statements change the values of these variables, so it suffices to show that our translations of these statements preserve (6), which is easily done.

Finally, we show that $\neg(ts(m') \prec ts(m))$. This is implied by $(\exists k : ts(m')[k] > ts(m)[k])$, which, in turn, follows from $ts(m')[j] > ts(m)[j]$ where j is the sender of m'. The latter holds because $ts(m')[j] = vt_j[j] + 1 > vt_j[j] \ge ts(m)[j]$, where the equality follows from the translation of send statements, the strict inequality follows from standard arithmetic, and the nonstrict inequality follows from (6).


3 Axioms for Send and Receive

We can now present Hoare-style axioms [Hoa78] for the send and receive statements described above.

Given the above translation of send e to i into a multiple-assignment statement, we use the multiple-assignment axiom [Gri76] to obtain an axiom for the send statement. The notation $e[x_1 := e_1, \ldots, x_n := e_n]$ denotes the simultaneous substitution of each term $e_i$ for the corresponding variable $x_i$ in a term e. Validity of the following triple follows immediately from the multiple-assignment axiom:

$\{P[vt_j := inc(vt_j, j),\ \sigma_i := \sigma_i \oplus \langle e, j, inc(vt_j, j) \rangle]\}$
$(vt_j, \sigma_i) := (inc(vt_j, j),\ \sigma_i \oplus \langle e, j, inc(vt_j, j) \rangle)$
$\{P\}$


Thus, we have

Send Axiom: For a send statement in process j:

$\{P[vt_j := inc(vt_j, j),\ \sigma_i := \sigma_i \oplus \langle e, j, inc(vt_j, j) \rangle]\}$ send e to i $\{P\}$   (7)


An inference rule for receive statements is obtained using translation (5) of receive x. Using axiom (3) for choose, the usual rules for assignment and sequential composition, and this inference rule for await statements [OG76]

Await Rule:

    $\{P \wedge B\}\ S\ \{Q\}$
    ------------------------------------   (8)
    $\{P\}$ await B then S $\{Q\}$

we can show that $\{P\}$ receive x $\{Q\}$ is valid iff the following Predicate Logic formula is valid:

$P \wedge m_i \in minset(\sigma_i - \rho_i) \Rightarrow Q[x := data(m_i),\ vt_i := max(vt_i, ts(m_i)),\ \rho_i := \rho_i \oplus m_i]$.

Thus, the inference rule for receive statements is

Receive Rule: For a receive statement in process i:

    $P \wedge m_i \in minset(\sigma_i - \rho_i) \Rightarrow Q[x := data(m_i),\ vt_i := max(vt_i, ts(m_i)),\ \rho_i := \rho_i \oplus m_i]$
    --------------------------------------------------------------------------------------------------   (9)
    $\{P\}$ receive x $\{Q\}$


Interference Freedom

The preceding rules for send and receive, together with rules for other statements and the usual miscellaneous rules of Hoare logics (e.g., the Rule of Consequence), can be used to construct a proof outline for each process in isolation. A proof outline is a program annotated with an assertion before and after every statement. A proof outline characterizes the behavior of a process assuming that no other process invalidates assertions in that proof outline. The proof outlines for processes that execute concurrently are combined to obtain a proof outline for the entire system by showing interference freedom [OG76], that is, that no process invalidates assertions in the proof outline of another process.

In a proof outline PO, the assertion that precedes a statement S is called the precondition of S and is denoted $pre(S)$, the assertion that follows a statement S is called the postcondition of S and is denoted $post(S)$, and we write $pre(PO)$ and $post(PO)$ to denote the first and last assertions, respectively, in PO. We write $\{P\}\ PO\ \{Q\}$ to denote the triple obtained by changing $pre(PO)$ to P and $post(PO)$ to Q.

An assertion P appearing in a proof outline $PO_i$ is interference free with respect to proof outlines $PO_1, \ldots, PO_N$ if for all assignments, sends, and receives S in a different proof outline than P,

$\{P \wedge pre(S)\}\ S\ \{P\}$   (10)

is valid. This is because (10) asserts that execution of S does not invalidate P. Assignment to variables is the only way to invalidate an assertion.^4 Since our translations for send and receive contain assignments, the interference freedom obligations require checking (10) for each send and receive statement, as well as for each assignment to an ordinary program variable.

Proof outlines $PO_1, \ldots, PO_N$ are interference free if all assertions P in the proof outlines are interference free in $PO_1, \ldots, PO_N$. This leads to the following inference rule.

^4 This is actually an assumption about the assertion language. For example, it rules out allowing control predicates in assertions.


Parallel Composition Rule:

    $PO_1, \ldots, PO_N$;  $PO_1, \ldots, PO_N$ are interference free
    ---------------------------------------------------------------
    $\{\bigwedge_i pre(PO_i)\}\ [PO_1 \parallel \ldots \parallel PO_N]\ \{\bigwedge_i post(PO_i)\}$

Note that, in contrast to the logics for asynchronous communication in [SS84] and [CKA93], our parallel composition rule does not have a "satisfaction" obligation. This is not an artifact of causally-ordered message-passing; the logics of [SS84] and [CKA93] could be similarly formulated.


4 Example: Distributed Termination Detection


To illustrate our proof rules, we give a proof outline for the termination detection algorithm of [DFvG83]. Validity of this proof outline shows that the algorithm correctly detects quiescence in systems of processes that communicate using causally-ordered message-passing. Our proof outline is based on the correctness argument given in [DFvG83], modified for causally-ordered delivery instead of the synchronous communication assumed there.^5

The algorithm is intended for use in systems where processes behave as follows: At each instant, a process is either active or quiescent, where the only action possible by a quiescent process is receipt of a message. A quiescent process may become active upon receipt of a message; an active process becomes quiescent spontaneously. Each process i has the form

    $Init_i$
    do
      [] $g_{ij} \rightarrow$ send $e_{ij}$ to j
                   $S_{ij}$                                   (12)
      [] receive $x_i \rightarrow R_i$
    od

where the $g_{ij}$ are boolean expressions, and $Init_i$, $S_{ij}$, and $R_i$ are statements that do not contain communication statements. Such a process i is quiescent iff each guard $g_{ij}$ is false. This is formalized by:

$q_i \triangleq \neg(\bigvee_j g_{ij})$

In the algorithm of [DFvG83] a token circulates among the processes. This introduces a new kind of message, which we call a token message. To distinguish it from the messages in the original computation, hereafter called basic messages, we use a predicate $istok(data(m))$ that holds exactly when m is a token message. Note that a process of the form (12) cannot send basic messages to itself.^6 Define:

$\sigma_i^{tok} \triangleq \{m \in \sigma_i \mid istok(data(m))\}$
$\rho_i^{tok} \triangleq \{m \in \rho_i \mid istok(data(m))\}$
$\chi_{i,j} \triangleq \{m \in \sigma_j - \rho_j \mid \neg istok(data(m)) \wedge sender(m) = i\}$

The system is quiescent if every process is quiescent and no messages are in transit. Thus, the system is quiescent iff the following predicate Q holds.

$Q \triangleq (\forall i : q_i \wedge (\forall j : \chi_{i,j} = \emptyset))$

^5 In [AptSS], the partial-correctness argument of [DFvG83] is formalized and some additional properties of the algorithm are proven.


A color, either black or white, is associated with each process. For each process i, we introduce a boolean variable $b_i$ such that $b_i$ is true iff process i is black. The detection algorithm sets $b_i$ to true when process i sends a basic message; it sets $b_i$ to false when i sends a token message. Therefore, we can assert that $b_i$ holds if process i has sent a basic message since it last sent a token message. This is formalized as an assertion in terms of the following state function:^7

$lt_i$: The largest timestamp in $\{m \in \bigcup_j \sigma_j^{tok} \mid sender(m) = i\}$, if such a timestamp exists; otherwise 0.

The assertion is now formalized as:

$J_1 \triangleq (\forall i : (\exists j : (\exists m \in \chi_{i,j} : lt_i \prec ts(m))) \Rightarrow b_i)$

The algorithm proceeds as a sequence of rounds. One process serves as the initiator for all rounds; it starts each round by sending a token message. Without loss of generality, assume process 0 is the initiator. In each round, the token is received by every process exactly once, ending with the initiator. We define the token to be at position i if it has been sent to process i and not subsequently sent by process i; we say that the token visits a process when the token has been received by but not sent from that process. For each process i, we introduce a new variable $h_i$ that is true iff the token is visiting process i.

^6 This restriction is not needed for correctness of the algorithm; we adopt it here because it simplifies the correctness proof slightly.

^7 The name $lt_i$ is a mnemonic for "last transmission" of the token by process i.

In each round, the token visits the processes in descending order by process name. Thus, the token visits process N−1, N−2, ..., 0, and the current token position is given by the state function:

$tp \triangleq \begin{cases} i - 1 & \text{if } (\forall j \neq i : lt_j \prec lt_i) \\ N - 1 & \text{otherwise} \end{cases}$

Note that all arithmetic on process names is modulo N.

An assertion $J_{tok}$ says that the N most recent sends of token messages are totally ordered by causality. This is equivalent to stipulating that the timestamps on these token messages form an ascending sequence; for example, if $tp \neq N-1$, then $lt_{tp} \prec lt_{tp-1} \prec \cdots \prec lt_0 \prec lt_{N-1} \prec lt_{N-2} \prec \cdots \prec lt_{tp+1}$. Formally,

$J_{tok} \triangleq (\forall i \neq tp : lt_{i+1} \prec lt_i)$


An assertion relating the timestamps of token messages to the timestamps of basic messages is also needed. For this, we use an assertion $J_{bas}$ whose informal interpretation is as follows.

Let m be a basic message sent from i to k that was sent before the $a^{th}$ transmission of the token by the sender. If m was sent in the same direction that the token travels (i.e., if k < i), then m must be delivered before the $a^{th}$ transmission of the token by the receiver. If m was sent in the other direction (i.e., if i < k), then m must be delivered before the $(a+1)^{st}$ transmission of the token by the receiver. $J_{bas}$ holds throughout execution of the algorithm because causally-ordered message-passing is used for all messages; the values of timestamps are consistent with this ordering. We formalize the assertion using an additional state function.

$nlt_i$: The second largest timestamp in $\{m \in \bigcup_j \sigma_j^{tok} \mid sender(m) = i\}$, if such a timestamp exists; otherwise 0.

$J_{bas} \triangleq (\forall i, k : \forall m \in \chi_{i,k} :$   (13)
$\quad (k < tp < i \Rightarrow nlt_i \prec ts(m))$
$\quad \wedge (k < i \wedge \neg(k < tp < i) \Rightarrow lt_i \prec ts(m))$
$\quad \wedge (i < tp < k \Rightarrow lt_i \prec ts(m))$
$\quad \wedge (i < k \wedge \neg(i < tp < k) \Rightarrow nlt_i \prec ts(m)))$

Assertions $J_1$, $J_{bas}$, and $J_{tok}$ contain all of the information about message-delivery order needed for correct operation of the algorithm. We encapsulate this information as a single assertion J:

$J \triangleq J_1 \wedge J_{bas} \wedge J_{tok}$


As with processes, a color, either black or white, is associated with the token. The color of the token is represented as before: black is encoded as true, and white is encoded as false. While in transit, this boolean value is included in each token message; while the token is visiting a process i, a new variable $t_i$ is used to store the color of the last token message received by process i.

Given a boolean value c, $mktok(c)$ denotes a token value whose color is c. The color of the token is extracted using a selector $tokval$. Thus, $istok(mktok(c)) = true$ and $tokval(mktok(c)) = c$. In each round, the token is initially white. It becomes black (if it isn't already) when it visits a process i (i.e., $h_i$ equals true) that is black (i.e., $b_i$ equals true). Thus, the token becomes black when it visits a process that has sent a basic message since last sending a token message, and the current token color is given by:

$tc \triangleq \begin{cases} t_{tp} \vee b_{tp} & \text{if } h_{tp} \\ tokval(data(m)) & \text{if } \neg h_{tp} \wedge m \in \sigma_{tp}^{tok} \wedge ts(m) = lt_{tp+1} \\ true & \text{otherwise} \end{cases}$


We also add to each process i a new variable $y_i$, which is used for temporary storage of received values.

When the token returns to the initiator, if either the initiator or the token is black, then the initiator starts another round. If both are white, then the system is quiescent (i.e., Q holds).^8 This fact is implied in the proof outlines of Figure 1 by the Q in the precondition for the second branch of the alternation statement $RELAY_0$.

The operation of the algorithm is succinctly characterized by K, where $K \triangleq K_1 \vee K_2 \vee K_3$ and:

$K_1 \triangleq (\forall i > tp : q_i \wedge (\forall k : \chi_{i,k} = \emptyset)) \wedge (h_{tp} \Rightarrow (\forall k > tp : \chi_{tp,k} = \emptyset))$

$K_2 \triangleq (\exists i < tp : b_i)$

$K_3 \triangleq tc$

^8 Here, the initiator does not take any special action when quiescence is detected. A round of communication could easily be added to notify each process that quiescence has been detected.
Informally, $K_1$ says that every process visited by the token in the current round is quiescent and no basic message sent by one of these processes is in transit. Moreover, if the token is visiting process tp, then no basic messages sent by process tp are in transit to processes the token has visited in this round. $K_2$ says that some process not already visited by the token during the current round is black. Finally, $K_3$ says that the token is black.

Assertions J and K are not quite strong enough to prove correctness of the algorithm. An assertion I that expresses several simple properties of the algorithm (e.g., that there is always at most one token message in the system) is also needed. Thus, we define $\mathcal{I} \triangleq I \wedge J \wedge K$, where

$I \triangleq (\forall i :$
$\quad (\forall m \in \sigma_i : ts(m) \le vt_{sender(m)})$
$\quad \wedge (\forall m \in \sigma_i : ts(m) \le vt_i \Rightarrow m \in \rho_i)$
$\quad \wedge (\forall m \in \rho_i : ts(m) \le vt_i)$
$\quad \wedge (|\sigma_i^{tok} - \rho_i^{tok}| \le 1)$
$\quad \wedge ((h_i \vee \sigma_i^{tok} \neq \rho_i^{tok}) \Rightarrow tp = i)$
$\quad \wedge (h_i \Rightarrow \sigma_i^{tok} \neq \emptyset \wedge (\forall j : \sigma_j^{tok} = \rho_j^{tok}))$
$\quad \wedge (\sigma_i^{tok} = \{m \in \bigcup_j \sigma_j^{tok} \mid sender(m) = i + 1\})$
$\quad \wedge (total(\{m \in \bigcup_j \sigma_j^{tok} \mid sender(m) = i\}))$
$\quad \wedge (total(\bigcup_j \sigma_j^{tok}))$
$\quad \wedge (lt_i \le vt_i)$
$\quad \wedge (\chi_{i,i} = \emptyset))$

and $total(S)$ holds iff $\{t \mid (\exists m \in S : ts(m) = t)\}$ is totally ordered by $\prec$.

Proof outlines for processes augmented to detect termination appear in Figure 1. The Appendix contains a detailed justification of the proof outlines.

Angle brackets indicate that the enclosed statement is executed atomically [Lam80].^9 Also, communication statements may appear in guards, so we use the following proof rule for iteration statements:

^9 Angle brackets are not actually necessary for correctness. They do simplify the proof slightly, so we have elected to use them.
Proof Outline for Process i

{$\mathcal{I} \wedge \neg h_i \wedge tp > i \wedge (i = 0 \Rightarrow (\forall j : \sigma_j = \emptyset))$}
$INIT_i$ {$\mathcal{I}$}
do
  [] $g_{ij} \rightarrow$ {$\mathcal{I} \wedge g_{ij}$}
       $b_i$ := true {$\mathcal{I} \wedge g_{ij} \wedge b_i$}
       send $e_{ij}$ to j {$\mathcal{I} \wedge g_{ij}$}
       $S_{ij}$ {$\mathcal{I}$}
  [] receive $y_i \rightarrow$ {$\mathcal{I} \wedge (\neg istok(y_i) \Rightarrow K[q_i := false])$
                          $\wedge (istok(y_i) \Rightarrow tp = i \wedge \neg h_i \wedge tc = tokval(y_i))$}
       if $istok(y_i) \rightarrow$ {$\mathcal{I} \wedge tp = i \wedge \neg h_i \wedge tc = tokval(y_i)$}
            $\langle h_i$ := true
             $t_i := tokval(y_i) \rangle$ {$\mathcal{I}$}
       [] $\neg istok(y_i) \rightarrow$ {$\mathcal{I} \wedge K[q_i := false]$}
            $x_i := y_i$ {$\mathcal{I} \wedge K[q_i := false]$}
            $R_i$ {$\mathcal{I}$}
       fi {$\mathcal{I}$}
  [] $q_i \wedge h_i \rightarrow$ {$\mathcal{I} \wedge q_i \wedge h_i$}
       $RELAY_i$ {$\mathcal{I}$}
od
{$\mathcal{I}$}

$INIT_0 \triangleq$ send mktok(false) to N−1 {$\mathcal{I} \wedge \neg h_0 \wedge tp > 0$}
              $Init_0$

$RELAY_0 \triangleq$ if $(t_0 \vee b_0) \rightarrow$ {$\mathcal{I} \wedge h_0$}
                    $\langle$send mktok(false) to N−1
                     $h_0$ := false
                     $b_0$ := false$\rangle$ {$\mathcal{I}$}
                [] $\neg(t_0 \vee b_0) \rightarrow$ {$\mathcal{I} \wedge Q$}
                    (* quiescent *)
                    skip {$\mathcal{I}$}
                fi

For 0 < j < N:

$INIT_j \triangleq Init_j$

$RELAY_j \triangleq \langle$send mktok($t_j \vee b_j$) to j−1
                $h_j$ := false
                $b_j$ := false$\rangle$

Figure 1: Proof Outlines
Iteration Rule:

    For $i \in \{1..N\}$:  $\{I \wedge p_i\}\ C_i\ \{P_i\}\ PO_i\ \{I\}$
    ---------------------------------------------------------------   (14)
    $\{I\}$
    do
      [] $p_i; C_i \rightarrow \{P_i\}$
         $PO_i$
         $\{I\}$
    od
    $\{I \wedge \neg(\bigvee_{i \in \{1..N\}} p_i)\}$

Here, $p_i$ is a boolean expression and $C_i$ is a receive or skip statement.^10 One might expect there to be an assertion between $p_i$ and $C_i$ in the rule's conclusion. Expression $p_i$ contains program variables of only process i, so $p_i$ cannot be invalidated by execution of another process. In particular, interference cannot occur even if evaluation of $p_i$ and execution of $C_i$ are not performed as a single indivisible action. Thus, there is no need to make the assertion explicit.

^10 The guard "$p_i$; skip" is abbreviated "$p_i$"; the guard "true; receive x" is abbreviated "receive x".

To illustrate reasoning about receive statements, we give a detailed proof for the triple

$\{\mathcal{I}\}$ receive $y_i$ $\{\mathcal{I} \wedge (\neg istok(y_i) \Rightarrow K[q_i := false]) \wedge (istok(y_i) \Rightarrow tp = i \wedge \neg h_i \wedge tc = tokval(y_i))\}$   (15)

This triple arises as a hypothesis in the application of the Iteration Rule to the main loop of each process. The triple expresses a crucial fact about the algorithm: that activation of a process (i.e., the changing of $q_i$ to false) by reception of a basic message does not falsify K. By Receive Rule (9), we can deduce (15) from

$\mathcal{I} \wedge m_i \in \sigma_i - \rho_i \Rightarrow (\mathcal{I} \wedge (\neg istok(y_i) \Rightarrow K[q_i := false]) \wedge (istok(y_i) \Rightarrow tp = i \wedge \neg h_i \wedge tc = tokval(y_i)))'$   (16)

where for any term t,

$t' = t[y_i := data(m_i),\ vt_i := max(vt_i, ts(m_i)),\ \rho_i := \rho_i \oplus m_i]$

We show in the Appendix that $\mathcal{I} \Rightarrow \mathcal{I}'$ is valid. Here, we first show that

$\mathcal{I} \wedge m_i \in \sigma_i - \rho_i \wedge \neg istok(y_i)' \Rightarrow K[q_i := false]'$   (17)

is valid. We assume the antecedent and prove the consequent. Note that

$K[q_i := false]' = (K_1[q_i := false]' \vee K_2 \vee K_3)$

Thus, if $K_2$ or $K_3$ holds, then so does (17). Suppose neither $K_2$ nor $K_3$ holds. Since $\mathcal{I}$ holds by assumption, K must also hold, so $K_1$ must hold as well. We now show that in this case, $K_1[q_i := false]'$ holds. First, note that $K_1'$ holds; this follows easily from the fact that $K_1$ holds. The proof proceeds by case analysis on the relative values of i and tp.

case i < tp: $K_1'$ does not depend on the $q_j$'s for j < tp. Therefore, since $K_1'$ holds, so does $K_1'[q_i := false]$.

case i > tp: We show that this case is impossible. Let $k = sender(m_i)$. From the antecedent of (17) and the definition of $\chi_{k,i}$, we conclude $m_i \in \chi_{k,i}$.

case k < tp: Instantiating the universally quantified variables i and k in $J_{bas}$ with k and i, respectively, we conclude (using the third conjunct of $J_{bas}$) that $lt_k \prec ts(m_i)$. Using $J_1$, this implies that $b_k$ holds, which implies that $K_2$ holds. This contradicts the assumption above that neither $K_2$ nor $K_3$ hold.

case k > tp: By assumption, $K_1$ holds, so $(\forall j : \chi_{k,j} = \emptyset)$, so $\chi_{k,i} = \emptyset$. From the antecedent of (17), we have $\neg istok(y_i)'$ (i.e., $\neg istok(data(m_i))$) and $m_i \in \sigma_i - \rho_i$, so by definition of $\chi_{k,i}$, we have $m_i \in \chi_{k,i}$, a contradiction.

Finally, consider showing that $(istok(y_i) \Rightarrow tp = i \wedge \neg h_i \wedge tc = tokval(y_i))'$ holds whenever the antecedent of (16) holds. This is equivalent to showing

$I \wedge m_i \in \sigma_i - \rho_i \wedge istok(data(m_i)) \Rightarrow tp = i \wedge \neg h_i \wedge tc = tokval(data(m_i))$   (18)

We assume the antecedent and prove the consequent. From the antecedent, we conclude $m_i \in \sigma_i^{tok} - \rho_i^{tok}$. Thus, $\sigma_i^{tok} \ne \rho_i^{tok}$, so by conjunct $(\forall i : (h_i \vee \sigma_i^{tok} \ne \rho_i^{tok}) \Rightarrow tp = i)$ in $I$, $tp = i$ holds. We next show, by contradiction, that $\neg h_i$ holds. Suppose not; then $h_i$ holds, so (using $I$) $\sigma_i^{tok} = \rho_i^{tok}$, which contradicts $m_i \in \sigma_i^{tok} - \rho_i^{tok}$. Finally, we show that $tc = tokval(data(m_i))$. From $I$, $|\sigma_i^{tok} - \rho_i^{tok}| \le 1$; thus, $m_i$ is the only unreceived message in $\sigma_i^{tok}$, so $m_i$ must have the largest timestamp in $\sigma_i^{tok}$, so $ts(m_i) = lx_{i+1}$. This, together with $\neg h_i$, implies $tc = tokval(data(m_i))$.
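As an added illustration of the timestamp bookkeeping behind the receive transformation $t'$ above and the send rule $ts(m) = inc(vt_i, i)$ used in the Appendix (example code, not the paper's), the following Python models vector times with $\prec$ and $\preceq$ and a hold-back queue that delivers a message only after every message it causally depends on. The deliverability test is the standard vector-clock rule and is an assumption, as are the names `inc`, `vmax`, `Process`, `Msg` and the constructed three-process run.

```python
"""Hold-back queue for causally-ordered delivery with vector timestamps.
Added example, not the paper's code; send/receive updates follow the page
(ts(m) = inc(vt_i, i); vt_i := max(vt_i, ts(m))), deliverability rule assumed."""
from collections import namedtuple
from dataclasses import dataclass, field

N = 3  # processes in the constructed scenario
Msg = namedtuple("Msg", "sender ts data")  # ts: sender's vector time at the send

def inc(vt, i):
    """inc(vt, i): vt with component i advanced by one (the send timestamp)."""
    return vt[:i] + [vt[i] + 1] + vt[i + 1:]

def vmax(a, b):
    """Componentwise maximum, used for vt_i := max(vt_i, ts(m)) on receive."""
    return [max(x, y) for x, y in zip(a, b)]

def preceq(a, b):
    """a ≼ b: componentwise at most."""
    return all(x <= y for x, y in zip(a, b))

def prec(a, b):
    """a ≺ b: a ≼ b and a differs from b (the strict order used in the proofs)."""
    return preceq(a, b) and list(a) != list(b)

@dataclass
class Process:
    pid: int
    vt: list = field(default_factory=lambda: [0] * N)  # vt_i
    rho: list = field(default_factory=list)            # rho_i: delivered so far
    pending: list = field(default_factory=list)        # arrived, not deliverable yet

    def send(self, data):
        """Page's send rule: ts(m) = inc(vt_i, i), and vt_i advances with it."""
        self.vt = inc(self.vt, self.pid)
        return Msg(self.pid, tuple(self.vt), data)

    def deliverable(self, m):
        """Assumed vector-clock rule: m is the next message from its sender k and
        everything k had seen when sending m is already reflected in vt_i."""
        k = m.sender
        return all(m.ts[j] == self.vt[j] + 1 if j == k else m.ts[j] <= self.vt[j]
                   for j in range(N))

    def arrive(self, m):
        """Transport hands over m; deliver it and whatever it unblocks, in order."""
        self.pending.append(m)
        delivered, progress = [], True
        while progress:  # one delivery may make another pending message deliverable
            progress = False
            for cand in list(self.pending):
                if self.deliverable(cand):
                    self.pending.remove(cand)
                    self.vt = vmax(self.vt, cand.ts)  # vt_i := max(vt_i, ts(m))
                    self.rho.append(cand)             # rho_i := rho_i (+) m
                    delivered.append(cand.data)
                    progress = True
        return delivered

def scenario():
    """Constructed run: P0 sends m1 to P1 and P2; P1 delivers m1 and then sends m2
    to P2; m2 reaches P2 before m1.  Returns the delivery order observed at P2."""
    p0, p1, p2 = Process(0), Process(1), Process(2)
    m1 = p0.send("m1")
    p1.arrive(m1)
    m2 = p1.send("m2")      # causally after m1
    order = p2.arrive(m2)   # held back: m1 not yet delivered at P2
    order += p2.arrive(m1)  # m1 delivered, which releases m2
    return order
```

With FIFO ordering alone, `m2` would be delivered at P2 first, since it is the first message from P1; the hold-back queue is what enforces the causal order the paper reasons about.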
Comparison to Related Work

The first correctness argument applicable to this distributed termination detection algorithm in an asynchronous setting is (to the best of our knowledge) an operational argument due to Raynal and Helary [RH90]. Proposition 3.8.1 in [RH90] establishes partial correctness assuming that the message-delivery order satisfies a property P. Our proof assumes causally-ordered delivery, which implies our predicate $J_{las}$; $J_{las}$ is similar to but slightly stronger than property P of [RH90].

Another operational (albeit more formal) proof, by Charron-Bost et al., appears in [CBMT92]. It shows correctness of this termination detection algorithm for systems that communicate using causally-ordered message-passing. The proofs there differ considerably from the invariant-based analysis of the synchronous case in [DFvG83]. In fact, Charron-Bost et al. claim that correctness proofs for all algorithms that use causally-ordered delivery "must consider the execution as a whole, rather than concentrate on assertions that remain invariant in each global state" ([CBMT92], p. 34). The existence of our proof, which is an invariant-based analysis, refutes this claim.

5 Conclusions

We have presented a Hoare-style proof system for causally-ordered delivery. Through an example, we have demonstrated the feasibility of our approach to reasoning about causally-ordered delivery. The example, a distributed termination detection algorithm, has been treated using other approaches, so there is now an opportunity to compare those approaches with the one in this paper.

The fact that a correctness proof for causally-ordered delivery can be based closely on the analysis of a synchronous version is a significant benefit of the approach discussed in this paper. We support a two-step approach to verifying algorithms that use asynchronous message-passing [GriOO]:

1. Verify a synchronous version of the algorithm (presumably a simpler task).

2. Modify the algorithm and the proof to obtain a correctness proof for the asynchronous version of the algorithm.

One benefit of this two-step approach is that it leads naturally to a focus on and accurate determination of the ordering requirements needed by the algorithm. An interesting question is the extent to which this approach can be made formal and systematic.
A Proof of Correctness

We show that the proof outlines in Figure 1 are valid. We discuss only the triples for non-composite statements. It is easy to prove validity of the proof outlines in Figure 1 using these results and the inference rules for sequential composition, iteration, and alternation. The triples for non-composite statements that arise in the proofs for each process in isolation are listed in Figure 2. Proving invariance of $I$ is straightforward, so we omit those details. For brevity, we sometimes content ourselves with giving an informal explanation for why a triple is valid; based on this, the reader should have little difficulty constructing a formal proof.
T1: $\{I \wedge \neg h_i \wedge tp \ge i\}\ \mathit{INIT}_i\ \{I\}$

T2: $\{I \wedge \neg q_i\}\ b_i := \mathit{true}\ \{I \wedge \neg q_i \wedge b_i\}$

T3: $\{I \wedge \neg q_i \wedge b_i\}\ \mathbf{send}\ e_{ij}\ \mathbf{to}\ j\ \{I \wedge \neg q_i\}$

T4: $\{I \wedge \neg q_i\}\ S_{ij}\ \{I\}$

T5: $\{I\}\ \mathbf{receive}\ y_i\ \{I \wedge (\neg istok(y_i) \Rightarrow K[q_i := \mathit{false}]) \wedge (istok(y_i) \Rightarrow tp = i \wedge \neg h_i \wedge tc = tokval(y_i))\}$

T6: $\{I \wedge tp = i \wedge \neg h_i \wedge tc = tokval(y_i)\}\ \langle h_i := \mathit{true} \parallel t_i := tokval(y_i)\rangle\ \{I\}$

T7: $\{I \wedge K[q_i := \mathit{false}]\}\ x_i := y_i\ \{I \wedge K[q_i := \mathit{false}]\}$

T8: $\{I \wedge K[q_i := \mathit{false}]\}\ R_i\ \{I\}$

T9: $\{I \wedge q_i \wedge h_i\}\ \langle \mathbf{send}\ mktok(t_i \vee b_i)\ \mathbf{to}\ i-1 \parallel h_i := \mathit{false} \parallel b_i := \mathit{false}\rangle\ \{I\}$

T10: $\{I \wedge \neg h_0 \wedge tp > 0 \wedge (\forall j : \sigma_j^{tok} = \emptyset)\}\ \mathbf{send}\ mktok(\mathit{false})\ \mathbf{to}\ N-1\ \{I \wedge \neg h_0 \wedge tp > 0\}$

T11: $\{I \wedge \neg h_0 \wedge tp > 0\}\ \mathit{Init}_0\ \{I\}$

T12: $\{I \wedge h_0\}\ \langle \mathbf{send}\ mktok(\mathit{false})\ \mathbf{to}\ N-1 \parallel h_0 := \mathit{false} \parallel b_0 := \mathit{false}\rangle\ \{I\}$

Figure 2: Triples for non-composite statements.
A.1 Proof for Process $i > 0$ in Isolation

T1: $\{I \wedge \neg h_i \wedge tp \ge i\}\ \mathit{INIT}_i\ \{I\}$

Since $i > 0$, $\mathit{INIT}_i$ is $\mathit{Init}_i$. $J$ is unaffected by execution of $\mathit{Init}_i$ because $\mathit{Init}_i$ neither sends nor receives messages. To see that $K$ is also unaffected, note that the only variables that appear in $K$ and can be assigned by $\mathit{Init}_i$ are those appearing in $q_i$, and that $K$ is independent of $q_i$ for $i \le tp$. The precondition of T1 implies $i \le tp$, so $K$ is not invalidated by $\mathit{INIT}_i$.

T2: $\{I \wedge \neg q_i\}\ b_i := \mathit{true}\ \{I \wedge \neg q_i \wedge b_i\}$

$J$ is unaffected by execution of this statement. Variable $b_i$ occurs only positively in $K$, so setting $b_i$ to true never falsifies $K$. Finally, $b_i$ does not appear in $q_i$, so the assignment to $b_i$ does not falsify $\neg q_i$.


T3: $\{I \wedge \neg q_i \wedge b_i\}\ \mathbf{send}\ e_{ij}\ \mathbf{to}\ j\ \{I \wedge \neg q_i\}$

We prove invariance of $J$ as follows. $J_1$ is preserved because $b_i$ holds. $J_{tok}$ is unaffected because the message being sent is not a token message. Let $m$ denote the element added to $\sigma_j$ by executing this statement. To show that $J_{las}$ is preserved, it suffices to show that $lx_i \prec ts(m)$ and $nlx_i \prec ts(m)$ hold, since $J_{las}$ is then satisfied regardless of which conjunct applies to this message. By definition of the send statement, $ts(m) = inc(vt_i, i)$, so (by definition of $\prec$) $vt_i \prec ts(m)$. From $I$, we have $lx_i \preceq vt_i$, so by transitivity of $\prec$, $lx_i \prec ts(m)$. It follows from the definitions of $lx_i$ and $nlx_i$ that $nlx_i \preceq lx_i$, so by transitivity, $nlx_i \prec ts(m)$. Thus, $J_{las}$ is preserved.

The proof that $K$ is preserved is by case analysis on the disjunct of $K$ that holds initially.

case $K_1$: In this case, $tp \ge i$ must also hold, since $i > tp$ and $K_1$ imply $q_i$, contradicting $\neg q_i$ in the precondition of T3. Since $i \le tp$ and $b_i$ hold, $K_2$ also holds, so see that case.

case $K_2$: $K_2$ is unaffected by execution of this statement, so $K_2$ still holds after execution of this statement.

case $K_3$: $K_3$ is unaffected by execution of this statement, so $K_3$ still holds after execution of this statement.

T4: $\{I \wedge \neg q_i\}\ S_{ij}\ \{I\}$

$J$ is unaffected by execution of $S_{ij}$ because $S_{ij}$ neither sends nor receives messages. The only variables that appear in $K$ and can be assigned by $S_{ij}$ are those appearing in $q_i$. Since $\neg q_i$ holds, $q_i$ is false, so execution of $S_{ij}$ either truthifies $q_i$ or leaves it unchanged. Variable $q_i$ occurs only positively in $K$, so truthifying $q_i$ never falsifies $K$.

T5: $\{I\}\ \mathbf{receive}\ y_i\ \{I \wedge (\neg istok(y_i) \Rightarrow K[q_i := \mathit{false}]) \wedge (istok(y_i) \Rightarrow tp = i \wedge \neg h_i \wedge tc = tokval(y_i))\}$

Adding elements to $\rho_i$ never falsifies $J$ or $K$, and $J$ and $K$ do not depend on $y_i$ or $vt_i$, so $J$ and $K$ are preserved by execution of this statement. We argued in Section 4 that the other conjuncts in the postcondition hold after execution of this statement.

T6: $\{I \wedge tp = i \wedge \neg h_i \wedge tc = tokval(y_i)\}\ \langle h_i := \mathit{true} \parallel t_i := tokval(y_i)\rangle\ \{I\}$

$J$ is unaffected by execution of this statement because messages are neither sent nor received. The proof that $K$ is preserved is by case analysis on the disjunct of $K$ that holds initially. Note that the only variables or state functions appearing in $K$ that are affected by execution of this statement are $tc$ and $h_i$.

case $K_1$: The first conjunct of $K_1$ is unaffected by execution of this statement. We now consider the second conjunct. If $(\forall k \ge i : \chi_{i,k} = \emptyset)$, then, since $tp = i$ appears in the precondition, we can conclude that $K_1$ holds after $h_i$ is set to true by this statement. If $(\forall k \ge i : \chi_{i,k} = \emptyset)$ does not hold, then there exist $k$ and $m$ such that $k \ge i$ and $m \in \chi_{i,k}$. $I$ implies $\chi_{i,i} = \emptyset$, so it must be that $k > i$ and $m \in \chi_{i,k}$. From the precondition of this triple, $i = tp$, so $i \le tp < k$. Thus, by the third conjunct of $J_{las}$, $lx_i \prec ts(m)$, so by $J_1$, $b_i$ holds. Since $tp = i$ and $b_i$ hold, $K_2$ must hold, so see that case.

case $K_2$: $K_2$ is unaffected by execution of this statement, so $K_2$ still holds after execution of this statement.

case $K_3$: In this case, $tc$ holds. Let $m$ be the element of $\sigma_i^{tok}$ such that $ts(m) = lx_{i+1}$. Execution of this statement changes $tc$ from $tokval(y_i)$ to $tokval(y_i) \vee b_i$, so $K_3$ is not falsified.

T7: $\{I \wedge K[q_i := \mathit{false}]\}\ x_i := y_i\ \{I \wedge K[q_i := \mathit{false}]\}$

$J$ is unaffected by execution of this statement because messages are neither sent nor received. Note that $x_i$ can appear in $K$ only in $q_i$. Since $K[q_i := \mathit{false}]$ holds before execution, and since $q_i$ occurs only positively in $K$, changing $q_i$ can't falsify $K$. Finally, $K[q_i := \mathit{false}]$ is unaffected by execution of this statement.

T8: $\{I \wedge K[q_i := \mathit{false}]\}\ R_i\ \{I\}$

$J$ is unaffected by execution of this statement because messages are neither sent nor received. The only variables that appear in $K$ and can be assigned by $R_i$ are those appearing in $q_i$. Since $q_i$ occurs only positively in $K$, and since $K$ holds even if $q_i$ doesn't (because $K[q_i := \mathit{false}]$ appears in the precondition), execution of this statement cannot falsify $K$.

T9: $\{I \wedge q_i \wedge h_i\}\ \langle \mathbf{send}\ mktok(t_i \vee b_i)\ \mathbf{to}\ i-1 \parallel h_i := \mathit{false} \parallel b_i := \mathit{false}\rangle\ \{I\}$

First, we show that execution of this statement changes $tp$ from $i$ to $i-1$. Since $h_i$ holds, we conclude (using $I$) that $tp = i$. It follows from the definition of $tp$ that $(\forall j \ne i+1 : lx_j \prec lx_{i+1})$. Since $h_i$ holds, $I$ implies $\sigma_i^{tok} \ne \emptyset$ and $\sigma_i^{tok} = \rho_i^{tok}$. Let $m$ be the element of $\sigma_i^{tok}$ with the largest timestamp; thus, $lx_{i+1} = ts(m)$. Since $\sigma_i^{tok} = \rho_i^{tok}$, $m \in \rho_i$, so (using $I$) $ts(m) \preceq vt_i$, i.e., $lx_{i+1} \preceq vt_i$. Thus, by transitivity of $\prec$, $(\forall j \ne i+1 : lx_j \prec vt_i)$. Since this statement does not affect $lx_j$ for $j \ne i$, after execution of this statement, $(\forall j \notin \{i, i+1\} : lx_j \prec vt_i)$ holds. After execution of this statement, $lx_i = inc(vt_i, i)$. By definition of $\prec$, $vt_i \prec inc(vt_i, i)$, so by transitivity, $(\forall j \notin \{i, i+1\} : lx_j \prec lx_i)$ holds after execution. Since $lx_{i+1} \preceq vt_i \prec inc(vt_i, i)$, after execution, $lx_{i+1} \prec lx_i$ holds. Thus, after execution, $(\forall j \ne i : lx_j \prec lx_i)$ holds, so by definition of $tp$, $tp = i-1$.

$J_1$ is preserved because after execution of this statement, $lx_i$ is larger than the timestamps of all messages previously sent by process $i$. To show that $J_{tok}$ is preserved, it suffices to show $lx_{i+1} \prec inc(vt_i, i)$, since $lx_i = inc(vt_i, i)$ after execution. Let $m$ be the member of $\sigma_i^{tok}$ with the largest timestamp (this is well-defined since $h_i$ and $I$ imply that $\sigma_i^{tok} \ne \emptyset$ and that the timestamps of messages in $\sigma_i^{tok}$ are totally ordered by $\prec$); thus, $lx_{i+1} = ts(m)$. Since $h_i$ holds, we conclude using $I$ that $\sigma_i^{tok} = \rho_i^{tok}$, so $m \in \rho_i$, which implies (using $I$) that $ts(m) \preceq vt_i$. By definition of $\prec$, $vt_i \prec inc(vt_i, i)$. Thus, $lx_{i+1} \preceq vt_i \prec inc(vt_i, i)$.

Next we show that $J_{las}$ is preserved. Fix $j$, $k$, and $m \in \chi_{j,k}$ (we have renamed the bound variable $i$ in (13) to $j$). We do a case analysis on the relative values of $j$, $k$, and $tp$.

case $k \le tp < j$: Since $J_{las}$ holds, $nlx_j \prec ts(m)$. If $tp \ne k$, then $k \le tp < j$ is preserved by execution of this statement, so we must show $nlx_j \prec ts(m)$, which we already know to be true. Suppose $tp = k$. After execution of this statement, $\neg(k \le tp < j)$, so we must show $lx_j \prec ts(m)$. We give a proof by contradiction: we suppose $\neg(lx_j \prec ts(m))$ and show $m \in \rho_k$, which contradicts the assumption $m \in \chi_{j,k}$. $I$ implies that the timestamps generated by each process are totally ordered by $\prec$, so $ts(m) \preceq lx_j$. Since $tp = i$, $J_{tok}$ implies $lx_j \preceq lx_{j-1} \preceq \cdots \preceq lx_{i+1}$, so $ts(m) \preceq lx_{i+1}$. Let $m'$ be the member of $\sigma_i^{tok}$ with the largest timestamp (this is well-defined since $h_i$ and $I$ imply that $\sigma_i^{tok} \ne \emptyset$ and that the timestamps of messages in $\sigma_i^{tok}$ are totally ordered by $\prec$); thus, $lx_{i+1} = ts(m')$, so $ts(m) \preceq ts(m')$. Since $h_i$ holds, we conclude (using $I$) $\sigma_i^{tok} = \rho_i^{tok}$, so (using $I$) $m' \in \rho_i$, hence (again using $I$) $ts(m') \preceq vt_i$. Thus, $ts(m) \preceq ts(m') \preceq vt_i$, so (using $I$) $m \in \rho_i$. Since by assumption $i = k$, $m \in \rho_k$.

case $k < j$ and $\neg(k \le tp < j)$: Since $J_{las}$ holds, $lx_j \prec ts(m)$. As in the previous case, preservation of $J_{las}$ is trivial if $tp \ne j$. Suppose $tp = j$. After execution of this statement, $k \le tp < j$, so we must show that $nlx_j \prec ts(m)$ then holds; this follows immediately from $lx_j \prec ts(m)$ and the fact that the value of $nlx_j$ after execution of this statement equals the value of $lx_j$ before execution of this statement.

case $j \le tp < k$: This case is analogous to the previous case.

case $j < k$ and $\neg(j \le tp < k)$: This case is analogous to the first case.

Finally, we show that $K$ is preserved by execution of this statement. Recall that execution of this statement changes $tp$ from $i$ to $i-1$. Note that execution of this statement leaves $tc$ unchanged.

The proof that $K$ is preserved is by case analysis on the disjunct of $K$ that holds initially.

case $K_1$: We distinguish two subcases.

case $(\forall k : \chi_{i,k} = \emptyset)$: From the precondition of this triple, $q_i$ holds. Since execution of this statement does not affect $q_i$ or $\chi_{i,k}$ for all $k$, $K_1$ continues to hold after execution of this statement.

case $(\exists k : \chi_{i,k} \ne \emptyset)$: Since $K_1$ and $h_{tp}$ hold, $(\forall k \ge i : \chi_{i,k} = \emptyset)$ does too. This, together with the assumption $(\exists k : \chi_{i,k} \ne \emptyset)$, implies there exists $k$ such that $k < i$ and $\chi_{i,k} \ne \emptyset$. Let $m$ be an element of $\chi_{i,k}$. Since $k < i$ and $tp = i$, $J_{las}$ implies $lx_i \prec ts(m)$, from which we conclude using $J_1$ that $b_i$ holds. After execution of this statement, $tc$ equals $t_i \vee b_i$, so $K_3$ then holds.

case $K_2$: Since $i = tp$, $K_2 = (\exists k < i : b_k) \vee b_i$. If the left disjunct holds, then $K_2$ still holds after execution of this statement. If the right disjunct holds before execution, then so does $K_3$ (because $h_i$ holds and $tp = i$), so see that case.

case $K_3$: $tc$ is unchanged by execution of this statement, so $K_3$ still holds after execution of this statement.

A.2 Proof for Process 0 in Isolation

The verification of process $i$ when $i = 0$ in isolation involves the following triples, in addition to those discussed above.

T10: $\{I \wedge \neg h_0 \wedge tp > 0 \wedge (\forall j : \sigma_j^{tok} = \emptyset)\}\ \mathbf{send}\ mktok(\mathit{false})\ \mathbf{to}\ N-1\ \{I \wedge \neg h_0 \wedge tp > 0\}$

First, we show that after execution of this statement, $tp = N-1$. The precondition implies $(\forall j : \{m \in \ldots \mid sender(m) = j\} = \emptyset)$; it follows from the definition of $lx_j$ that $lx_j = 0$ for all $j$. After execution of this statement, $lx_0 = inc(vt_0, 0)$. From the definition of $\prec$, $0 \prec inc(vt, 0)$ for all vector times $vt$. From the definition of $tp$, we conclude that after execution of this statement, $(\forall j \ne 0 : lx_j \prec lx_0)$ holds, hence $tp = N-1$.

$J_1$ is preserved because after execution of this statement, $lx_0$ is larger than the timestamps of all messages previously sent by process 0. To show that $J_{tok}$ holds after execution of this statement, we need to show that $0 \preceq 0$ and $0 \prec inc(vt_0, 0)$; both of these facts follow from the definition of $\prec$. To see that $J_{las}$ holds after execution of this statement, note that $lx_j = 0$ and (by the same reasoning) $nlx_j = 0$ for $j \ne 0$. Thus, $J_{las}$ holds trivially for $j \ne 0$. For $j = 0$, note that there is no process $k$ such that $k < 0$, and recall that after execution of this statement, $tp = N-1$. Thus, the only non-vacuous conjunct in $J_{las}$ is the bottom one. This conjunct holds because $nlx_0 = 0$.

The conjunct $tp > 0$ in the postcondition holds after execution because $tp$ then equals $N-1$, as shown above. Finally, note that $\neg h_0$ is unaffected by execution of this statement.

T11: $\{I \wedge \neg h_0 \wedge tp > 0\}\ \mathit{Init}_0\ \{I\}$

Validity of this triple follows by the same reasoning as for triple T1.

T12: $\{I \wedge h_0\}\ \langle \mathbf{send}\ mktok(\mathit{false})\ \mathbf{to}\ N-1 \parallel h_0 := \mathit{false} \parallel b_0 := \mathit{false}\rangle\ \{I\}$

$J$ is preserved by the same reasoning as for triple T9. We now show that execution of this statement truthifies $K_1$. Since $h_0$ holds, we conclude (using $I$) that $tp = 0$ holds before execution of this statement, so $\neg h_{N-1}$, because otherwise, $I$ implies $tp = N-1$, which contradicts $tp = 0$. By the same reasoning as for triple T9, after execution of this statement, $tp = N-1$. Thus, $K_1$ holds vacuously after execution of this statement.

Finally, we discuss one proof obligation that arises when using the foregoing results to verify the proof outlines given in Figure 1. When proving the second branch of $\mathit{RELAY}_0$, the following subgoal arises:

$I \wedge q_0 \wedge h_0 \wedge \neg(t_0 \vee b_0) \Rightarrow Q$

We assume the antecedent and prove the consequent. First, we show that $K_1$ must hold, by showing that $K_2$ and $K_3$ do not. Since $h_0$ holds, we conclude (using $I$) that $tp = 0$. From $tp = 0$ and $\neg b_0$, we conclude that $K_2$ does not hold. From $h_0$ and $\neg(t_0 \vee b_0)$, we conclude that $K_3$ does not hold. Thus, assuming the antecedent holds, $K_1$ also holds. It is easy to show that $K_1$ and the antecedent together imply $Q$.


A.3 Interference Freedom

Most of the interference freedom obligations can be discharged easily, using derived rules such as Interference Freedom for Synchronously Altered Assertions [LG81]. One non-trivial triple that arises in the proof of interference freedom is

$\{K[q_j := \mathit{false}] \wedge K \wedge K[q_i := \mathit{false}]\}\ R_i\ \{K[q_j := \mathit{false}]\}$

where $j \ne i$. By the Assignment Axiom, validity of this triple follows from

$K[q_j := \mathit{false}] \wedge K \wedge K[q_i := \mathit{false}] \Rightarrow K[q_i := \mathit{false}, q_j := \mathit{false}]$

We assume the antecedent and prove the consequent. If $K_2$ holds, then $K_2[q_i := \mathit{false}, q_j := \mathit{false}]$ holds, since $q_i$ and $q_j$ do not appear in $K_2$. The same reasoning applies to $K_3$. If neither $K_2$ nor $K_3$ holds, then $K_1[q_j := \mathit{false}] \wedge K_1 \wedge K_1[q_i := \mathit{false}]$ must hold. We show by contradiction that this implies $i \le tp$. Suppose $i > tp$; then

$K_1 = q_i \wedge (\forall k : \chi_{i,k} = \emptyset)$

$\quad \wedge (\forall i' > tp : i' \ne i \Rightarrow q_{i'} \wedge (\forall k : \chi_{i',k} = \emptyset))$

$\quad \wedge (h_{tp} \Rightarrow (\forall k \ge tp : \chi_{tp,k} = \emptyset))$

so $K_1[q_i := \mathit{false}] = \mathit{false} \wedge \cdots$, so $K_1[q_i := \mathit{false}]$ does not hold, which contradicts the assumption above. Thus, $i \le tp$. Analogous reasoning shows that $j \le tp$. Since $i \le tp$ and $j \le tp$, $K_1$ is independent of $q_i$ and $q_j$. By assumption, $K_1$ holds, so $K_1[q_i := \mathit{false}, q_j := \mathit{false}]$ also holds.




